Chronology of Virus from the MIT Perspective


Jon Rochlis jon@bitsy.mit.edu



The first posting mentioning the virus was by Peter Yee (NASA Ames) at 8:28pm est on Wednesday to the
tcp-ip mailing list. Peter stated that UCB, UCSD, LLNL, Stanford, and NASA Ames had been attacked,
and described the use of sendmail to pull over the virus, including the x* files found in /usr/tmp. The virus
was observed to send vax and sun binaries, have DES tables built in, and made some use of .rhosts and
hosts.equiv files. A Berkeley extension was given and Phil Lapsley and Kurt Pires were listed as being
knowledgeable about the virus.


At 3:10am the first notice of the virus at MIT was posted at AMT by Pascal Chesnais
(lacsap@media-lab.mit.edu). The motd on media-lab read:

- lacsap Nov 3 1988 03:10am

DO NOT CALL THE GARDEN. IF YOU WANT TO PROTECT YOUR MACHINE TURN OFF SENDMAIL
OR JUST TURN YOUR MACHINE OFF, OR UNPLUG IT FROM THE NETWORK!!! DO NOT CALL
THE GARDEN"!!!


Pascal had spotted the virus earlier but assumed it was just "a local run away program". The group at
AMT figured out after midnight that it was a virus and it was coming in via mail. The response was to
shut down infected machines. The network group's monitoring information shows the media lab gateway
first went down at 11:40pm Wednesday, but was back up by 3:00am. Pascal requested that the Network
group isolate the building Thursday at 11:30pm and it remained so isolated until Friday at
2:30pm.


Pascal now reports that logs on media-lab show several scattered "ttloop: peer died:
No such file or directory" messages. There were a few every couple of days, several during
the Wednesday afternoon and many starting at 9:48pm. These are caused by opening a telnet
connection and immediately closing it; specifically inetd spawns a telnetd, but when telnetd goes
to read from the network, it finds the connection has disappeared. The virus did this in order to determine
whether or not to try to infect a target machine.[1] The logs on media-lab start on October 25th and the
following log entries were made before the swarm on Wednesday night.


Oct 26 15:01:57 media-lab telnetd[23180]: ttloop: peer died: No such file or directory
Oct 28 11:26:55 media-lab telnetd[23331]: ttloop: peer died: No such file or directory
Oct 28 17:36:51 media-lab telnetd[12614]: ttloop: peer died: No such file or directory
Oct 31 16:24:41 media-lab telnetd[18518]: ttloop: peer died: No such file or directory
Nov  1 16:08:24 media-lab telnetd[16125]: ttloop: peer died: No such file or directory
Nov  1 18:02:43 media-lab telnetd[21889]: ttloop: peer died: No such file or directory
Nov  1 18:58:30 media-lab telnetd[24644]: ttloop: peer died: No such file or directory
Nov  2 12:23:51 media-lab telnetd[4721]: ttloop: peer died: No such file or directory
Nov  2 15:21:47 media-lab telnetd[13628]: ttloop: peer died: No such file or directory


[1] The assumption that machines not running a telnetd are not vulnerable to attack is quite interesting. It allowed systems like the
MIT Project Athena mailhub, athena.mit.edu, (on which we preferred to use only kerberos authentication), to escape unscathed.

It is not clear whether these represent early testing of the virus, or if they were just truly accidental
premature closings of telnet connections. With hindsight we can see a telnetd that logged its peer address
(even for such error messages) would have been quite useful in tracing the progress and origin of the
virus.
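As an added illustration (not code from the chronology), the following C program does the sort of log review the passage above describes: it reads telnetd syslog lines in the format shown, counts the "ttloop: peer died" events per hour, and flags hours in which the count reaches a threshold, so that a burst like the one starting at 9:48pm stands out from the occasional accidental disconnect. The log lines in the program are constructed for the example, and the burst threshold is an assumption.

```c
/* Added example, not code from the chronology: bucket telnetd
 * "ttloop: peer died" messages per hour so a probe burst stands out.
 * The log lines are constructed in the 1988 syslog format shown above. */
#include <stdio.h>
#include <string.h>

#define MAX_BUCKETS 64

struct bucket {
    char key[32];   /* hour bucket, "Mon DD HH", e.g. "Nov  2 21" */
    int count;
};

/* Constructed sample log: scattered single events, then a burst starting
 * at 21:48 with an unrelated sendmail line mixed in. */
static const char *sample_log[] = {
    "Oct 26 15:01:57 media-lab telnetd[23180]: ttloop: peer died: No such file or directory",
    "Nov  2 12:23:51 media-lab telnetd[4721]: ttloop: peer died: No such file or directory",
    "Nov  2 21:48:02 media-lab telnetd[2201]: ttloop: peer died: No such file or directory",
    "Nov  2 21:48:05 media-lab sendmail[2210]: AA02210: message-id=<constructed@example.invalid>",
    "Nov  2 21:49:11 media-lab telnetd[2233]: ttloop: peer died: No such file or directory",
    "Nov  2 21:51:40 media-lab telnetd[2290]: ttloop: peer died: No such file or directory",
    "Nov  2 21:57:03 media-lab telnetd[2344]: ttloop: peer died: No such file or directory",
    NULL
};

/* Derive the "Mon DD HH" key from a syslog timestamp; 0 if the line has none. */
static int hour_key(const char *line, char *key, size_t keylen)
{
    char mon[4];
    int day, hh, mm, ss;
    if (sscanf(line, "%3s %d %d:%d:%d", mon, &day, &hh, &mm, &ss) != 5)
        return 0;
    snprintf(key, keylen, "%s %2d %02d", mon, day, hh);
    return 1;
}

/* Count telnetd "ttloop: peer died" lines per hour; returns buckets used. */
static int count_peer_died(const char **lines, struct bucket *b, int maxb)
{
    int used = 0;
    for (; *lines; lines++) {
        char key[32];
        int i;
        if (!strstr(*lines, "telnetd[") || !strstr(*lines, "ttloop: peer died"))
            continue;
        if (!hour_key(*lines, key, sizeof key))
            continue;
        for (i = 0; i < used; i++)
            if (strcmp(b[i].key, key) == 0)
                break;
        if (i == used) {
            if (used == maxb)
                break;
            strcpy(b[used].key, key);
            b[used].count = 0;
            used++;
        }
        b[i].count++;
    }
    return used;
}

/* Events in one hour bucket, or 0 if that hour never appears. */
static int count_for_hour(const char **lines, const char *key)
{
    struct bucket b[MAX_BUCKETS];
    int n = count_peer_died(lines, b, MAX_BUCKETS);
    for (int i = 0; i < n; i++)
        if (strcmp(b[i].key, key) == 0)
            return b[i].count;
    return 0;
}

/* Number of hours whose event count reached `threshold` (an assumed cutoff). */
static int burst_hours(const char **lines, int threshold)
{
    struct bucket b[MAX_BUCKETS];
    int n = count_peer_died(lines, b, MAX_BUCKETS);
    int bursts = 0;
    for (int i = 0; i < n; i++)
        if (b[i].count >= threshold)
            bursts++;
    return bursts;
}

int main(void)
{
    struct bucket b[MAX_BUCKETS];
    int n = count_peer_died(sample_log, b, MAX_BUCKETS);
    for (int i = 0; i < n; i++)
        printf("%s: %d peer-died event(s)%s\n", b[i].key, b[i].count,
               b[i].count >= 3 ? "  <-- burst" : "");
    return 0;
}
```

Had the telnetd of the day logged the peer address, as the text wishes, the same bucketing keyed by address instead of hour would have shown which hosts were doing the probing; without it, the hourly count is the most the logs support.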


At 3:34am est on Thursday, Andy Sudduth from Harvard made his anonymous posting to tcp-ip. The
posting said that a virus might be loose on the Internet and that there were three steps to take to prevent
further transmission. This included not running fingerd or fixing it not to overwrite the stack when reading
its arguments from the net[2], be sure sendmail was compiled without debug, and not to run rexecd.


The posting was made from an Annex terminal server at Aiken (sp?) Center (?) at Harvard, by
telnetting to the SMTP port of iris.brown.edu. This is obvious since the message was from "foo%bar.arpa"
and because the last line of the message was "qui\177\177\177", an attempt to get rubout processing out
of the brown SMTP server, a common mistake when faking Internet mail.


It was ironic that this posting did almost no good. The path it took to get to athena was:

Received: by ATHENA.MIT.EDU (5.45/4.7) id AA29119; Sat, 5 Nov 88 05:59:13 EST
Received: from RELAY.CS.NET by SRI-NIC.ARPA with TCP; Fri, 4 Nov 88 23:23:24 P
Received: from cs.brown.edu by RELAY.CS.NET id «*05627; 3 Nov 88 3:47 EST
Received: from iris.brown.edu (iris.ARPA) by cs.brown.edu (1.2/1.00)
        id AA12595; Thu, 3 Nov 88 03:47:19 est
Received: from (128.103.1.92) with SMTP via tcp/ip
        by iris.brown.edu on Thu, 3 Nov 88 03:34:46 EST

There was a 20 hour delay before the message escaped from relay.cs.net and got to sri-nic.arpa.
Another 6 hours went by before the message was received by athena.mit.edu. Other sites have reported
similar delays.


At 5:58am Thursday morning Keith Bostic (bostic@okeeffe.berkeley.edu) made the virus bugfix posting.
The message went to the tcp-ip, comp.bugs.4bsd.ucb-fixes, news.announce, and
news.sysadmin. It supplied the compile without debug fix to sendmail (or patch the debug command to
a garbage string), as well as the very wise suggestion to rename cc and ld, which was effective since the
virus needed to compile and link itself.


Gene Spafford (spaf@purdue.edu) forwarded this to nntp-managers@ucbvax.berkeley.edu at
8:06am. Ted Ts'o (tytso@athena.mit.edu) forwarded this to an internal Project Athena hackers list
(watchmakers@athena.mit.edu) at 10:07. He expressed disbelief ("no, it's not April 1st"), and thought we
at Athena were safe. Though no production Athena servers were infected, several private workstations
and development machines were, so this proved overly optimistic.


[2] This was a level of detail that only the originator of the virus could have known at that point. To our knowledge nobody had yet
identified the finger bug, since it only affected certain vaxen, and certainly nobody had discovered its mechanism.

During Thursday morning Ray Hirschfeld (ray@math.mit.edu) spotted the virus on the MIT math
department suns and shut down the math gateway at 10:15am. It remained down until 3:15pm.


Gene Spafford posted a message at 2:50pm Thursday to a large number of people and mailing lists
including nntp-managers, which is how we saw it quickly at MIT. It warned the virus used rsh and looked
in hosts.equiv and .rhosts for more hosts to attack.

Around this time the MIT group in E40 (Project Athena and the Network Group) called Milo Medin
(medin@nsipo.nasa.gov) and found out much of the above. Many of us had not yet seen the messages.
He pointed out that the virus just loved to attack gateways (found via the routing tables) and remarked
that it must have not been effective at MIT where we run our own C Gateway code, not Unix. Milo also
informed us that DCA had shut down the mailbridges. He pointed us to the group at Berkeley and Peter
Yee specifically.

At about 6pm on Thursday, Ron Hoffmann (hoffmann@bitsy.mit.edu) observed the virus attempting to log
into a standalone router using the Berkeley remote login protocol; the remote login attempt originated
from a machine previously believed immune[3]. The virus was running under the userid of nobody, and it
appeared that it had to be attacking through the finger service, the only network service running under
that userid. At that point, we called the group working at Berkeley; they confirmed our suspicions that the
virus was spreading through fingerd.

On the surface, it seemed that fingerd was too simple to have a protection bug similar to the one in 
sendmail; it was a very short program, and the only exec it did involved a hard-coded pathname. A 
check of the modification dates of both /etc/fingerd and /usr/ucb/finger showed that both had been 
untouched, and both were identical to known good copies located on a read-only filesystem. 

Berkeley reported that the attack on finger involved "shoving some garbage at it"; clearly some sort of 
overrun buffer wound up corrupting something. 


Bill Sommerfeld (wesommer@athena.mit.edu) guessed that this bug might involve overwriting the saved
program counter in the stack frame; when he looked at the source for fingerd, he found that the buffer it
was using was located on the stack; in addition, the program used the C library gets function, which
assumes that the buffer it is given is long enough for the line it is about to read. To verify that this was a
viable attack, he then went on to write a program which exploited this hole in a benign way.[4]
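To make the bug Sommerfeld found concrete, here is an added C example (it is neither the 4.3BSD fingerd source nor his test program) of the shape of the fix: the request line is read with fgets() into a fixed buffer instead of gets(), a line longer than the buffer is drained and refused rather than being allowed to run past the buffer into the saved frame, and the trailing CRLF is stripped. The buffer size, the status names and the tmpfile()-based helper that feeds constructed requests through the reader are this example's own choices.

```c
/* Added example, not 4.3BSD fingerd and not Sommerfeld's test program:
 * a bounded replacement for the gets() call that read finger's request
 * line into a fixed stack buffer. The buffer size, status names and the
 * tmpfile()-based helper that feeds constructed requests are this
 * example's own choices. */
#include <stdio.h>
#include <string.h>

#define LINE_MAX_LEN 512   /* assumed request buffer size */

enum read_status { LINE_OK = 0, LINE_EOF = 1, LINE_TOO_LONG = 2 };

/* Read one request line into buf (buflen bytes) without writing past it.
 * A line that does not fit is drained up to its newline and refused, so a
 * caller that keeps reading stays in sync with the stream. */
static enum read_status read_request_line(FILE *in, char *buf, size_t buflen)
{
    if (fgets(buf, (int)buflen, in) == NULL) {   /* nothing left to read */
        buf[0] = '\0';
        return LINE_EOF;
    }
    size_t n = strlen(buf);
    if (n > 0 && buf[n - 1] == '\n') {           /* whole line fit */
        buf[--n] = '\0';
        if (n > 0 && buf[n - 1] == '\r')         /* finger requests end in CRLF */
            buf[--n] = '\0';
        return LINE_OK;
    }
    /* No newline in the buffer: either the stream ended (fine), the newline
     * is the very next byte (fine), or the line is longer than the buffer. */
    int c = fgetc(in);
    if (c == EOF || c == '\n')
        return LINE_OK;
    while ((c = fgetc(in)) != EOF && c != '\n')  /* drain the rest of the line */
        ;
    buf[0] = '\0';
    return LINE_TOO_LONG;
}

/* Helper: a FILE* holding a constructed request, standing in for the socket. */
static FILE *open_request(const char *request)
{
    FILE *f = tmpfile();
    if (f == NULL)
        return NULL;
    fputs(request, f);
    rewind(f);
    return f;
}

/* Helper: run one constructed request through the reader and return its status. */
static enum read_status try_request(const char *request, char *out, size_t outlen)
{
    FILE *f = open_request(request);
    if (f == NULL)
        return LINE_EOF;
    enum read_status st = read_request_line(f, out, outlen);
    fclose(f);
    return st;
}

int main(void)
{
    char line[LINE_MAX_LEN];
    char big[2000];

    memset(big, 'A', sizeof big - 2);             /* 1998 bytes, then "\n" */
    big[sizeof big - 2] = '\n';
    big[sizeof big - 1] = '\0';

    enum read_status st = try_request("wesommer\r\n", line, sizeof line);
    printf("short request: status %d, user \"%s\"\n", st, line);
    st = try_request(big, line, sizeof line);
    printf("over-long request: status %d, refused\n", st);
    return 0;
}
```

The point of draining rather than silently truncating is that a request longer than the buffer is not a request finger can answer; returning LINE_TOO_LONG lets the caller close the connection cleanly, which is the behaviour the original gets() call could never provide.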

A risks digest came out at 6:52pm. It included a message from Cliff Stoll of Harvard
(stoll@dockmaster.arpa) which described the spread of the virus on milnet and suggested that milnet
sites might want to remove themselves from the network. Stoll also made the wonderful statement,
"This is bad news." Other messages were from Spafford, Peter Neumann (neumann@csl.sri.com), and
Matt Bishop (bishop@bear.dartmouth.edu). They described the sendmail propagation mechanism.

[3] It was running a mailer with debugging turned off.

[4] His test virus sent the string "Bozo!" back out the network connection.

In the SIPB office Stan Zanarotti (srz@lcs.mit.edu) and Ted Ts'o had managed to get a core dump from
the virus running on a machine in the MIT Lab for Computer Science (LCS) as well as the vax binary.
Stan and Tim Sheppard (shep@ptt.lcs.mit.edu) had been dealing with the virus from 11am Thursday over
in Tech Square. Their first reaction was to shut down the network by powering off DELNIs. By 1pm Tim
had verified that no files had been modified on allspice.lcs.mit.edu and had installed a recompiled sendmail.
(Tim also reloaded a root partition from tape, just to ensure that he was running trusted software.)

Ted and Stan started attacking the virus. Pretty soon they had figured out the xor encoding of the strings
and were manually decoding strings. By 9:00pm Ted had written a program to decode all the strings and
we had the list of strings used by the program, except for the built-in dictionary which was encoded in a
different fashion (by setting the meta bit of each character).
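The two encodings mentioned here, as an added C example (not the decoder Ted Ts'o wrote, and not based on the worm's real tables): a crib search recovers a single-byte XOR key from the knowledge that the program must contain a pathname such as /usr/tmp, the string table is then decoded with that key, and the dictionary is decoded by clearing the meta bit of each character. The byte tables, the 0x81 key, the dictionary words and the assumption that each encoded string ends in a plain NUL are all constructed for the example; the chronology gives none of them.

```c
/* Added example, not the decoder the text describes: recovering the two
 * string encodings mentioned above. The byte tables, the XOR key 0x81, the
 * dictionary words and the "plain NUL after each string" layout are all
 * constructed for this example; the chronology gives none of them. */
#include <stdio.h>
#include <string.h>

#define MAX_STRINGS 16
#define MAX_STRLEN  64

/* Constructed: "/usr/tmp", ".rhosts", "hosts.equiv", each byte XORed with 0x81. */
static const unsigned char xor_table[] = {
    0xAE,0xF4,0xF2,0xF3,0xAE,0xF5,0xEC,0xF1,0x00,
    0xAF,0xF3,0xE9,0xEE,0xF2,0xF5,0xF2,0x00,
    0xE9,0xEE,0xF2,0xF5,0xF2,0xAF,0xE4,0xF0,0xF4,0xE8,0xF7,0x00
};

/* Constructed: dictionary words "wizard", "secret", "athena" with the meta
 * (high) bit set on every character. */
static const unsigned char meta_table[] = {
    0xF7,0xE9,0xFA,0xE1,0xF2,0xE4,0x00,
    0xF3,0xE5,0xE3,0xF2,0xE5,0xF4,0x00,
    0xE1,0xF4,0xE8,0xE5,0xEE,0xE1,0x00
};

/* Split a NUL-separated table into strings, XORing each byte with xor_key
 * and, if strip_meta is set, clearing the high bit. Returns strings written. */
static size_t decode_table(const unsigned char *tab, size_t len,
                           unsigned char xor_key, int strip_meta,
                           char out[][MAX_STRLEN], size_t maxn)
{
    size_t count = 0, pos = 0;
    for (size_t i = 0; i < len && count < maxn; i++) {
        if (tab[i] == 0x00) {              /* terminator: close this string */
            out[count][pos] = '\0';
            count++;
            pos = 0;
        } else if (pos < MAX_STRLEN - 1) {
            unsigned char b = tab[i] ^ xor_key;
            if (strip_meta)
                b &= 0x7F;
            out[count][pos++] = (char)b;
        }
    }
    return count;
}

/* Crib search: the program must contain a known string (here a pathname),
 * so slide it along the table and look for one key that maps the bytes
 * onto it. Returns the key, or -1 if no position is consistent. */
static int find_xor_key(const unsigned char *tab, size_t len, const char *crib)
{
    size_t clen = strlen(crib);
    for (size_t i = 0; i + clen <= len; i++) {
        unsigned char key = tab[i] ^ (unsigned char)crib[0];
        size_t j;
        for (j = 1; j < clen; j++)
            if ((unsigned char)(tab[i + j] ^ key) != (unsigned char)crib[j])
                break;
        if (j == clen)
            return key;
    }
    return -1;
}

static size_t decode_xor_strings(unsigned char key, char out[][MAX_STRLEN], size_t maxn)
{
    return decode_table(xor_table, sizeof xor_table, key, 0, out, maxn);
}

static size_t decode_dictionary(char out[][MAX_STRLEN], size_t maxn)
{
    return decode_table(meta_table, sizeof meta_table, 0x00, 1, out, maxn);
}

int main(void)
{
    char strs[MAX_STRINGS][MAX_STRLEN];
    int key = find_xor_key(xor_table, sizeof xor_table, "/usr/tmp");
    if (key < 0) {
        puts("crib not found");
        return 1;
    }
    printf("crib \"/usr/tmp\" implies XOR key 0x%02x\n", key);
    size_t n = decode_xor_strings((unsigned char)key, strs, MAX_STRINGS);
    for (size_t i = 0; i < n; i++)
        printf("string[%zu] = \"%s\"\n", i, strs[i]);
    n = decode_dictionary(strs, MAX_STRINGS);
    for (size_t i = 0; i < n; i++)
        printf("word[%zu] = \"%s\"\n", i, strs[i]);
    return 0;
}
```

Both encodings defeat a naive strings scan of the binary, which is why the analysts had to decode by hand first; the crib search is the systematic version of what "figuring out the xor encoding" amounts to once one string the program must contain is known.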

At the same time they discovered the ip address of ernie.berkeley.edu, 128.32.137.13, and proceeded to
take apart the send-message routine to figure out what it was sending to ernie, how often, and if a
handshake was involved. Stan told Jon Rochlis <jon@bitsy.mit.edu> in the MIT Network Group of the
SIPB group's progress. The people in E40 called Berkeley and reported the finding of ernie's address.
Nobody seemed to have any idea why that was there.

About this time a camera crew from WNEV Channel 7 (the Boston CBS affiliate) showed up at the office
of James D. Bruce (jdb@delphi.mit.edu), VP for Information Systems. He called Jeff Schiller and headed
over to E40. Jeff and Jim were interviewed. The 80,000 number of hosts was stated along with an
estimate of 10% infection of the 2000 hosts at MIT. The infection rate was a pure guess. The virus was
the lead story on the 11pm news, and we were quite surprised that the real world would pay that much
attention. Pieces of the footage shot then were shown on the CBS morning news (but by that point we
were too busy to watch).

Sheppard shows up in E40, then punts to Tech Square to check his netwatch data for ernie packets.
(The machine with the data had been unplugged from the network.)

Serious decompiling began at midnight. Stan and Ted came to E40.


John Kohl had the virus running by 5am and observed many things. They were confirmed by the
decompiling which was almost done.


List times of berkeley conversations and ftp exchanges of source code.

Press conference in E40 at noon. 7 camera crews, tons of print media. Total zoo until 3pm.
Bostic asks for our affiliations and if we like the idea of posting bugfixes to the virus (we did).
The Today show comes to the SIPB office Saturday to find out about "hackers".

MIT Cast of Characters


Media Lab                  Pascal Chesnais <lacsap@media-lab.media.mit.edu>
VP Information Services    James D. Bruce <jdb@delphi.mit.edu>
NetworkGroup/Athena/SIPB   Jeff Schiller <jis@bitsy.mit.edu>
Athena/SIPB                Mark Eichin <eichin@athena.mit.edu>
LCS/SIPB                   Stan Zanarotti <srz@lcs.mit.edu>
Athena/SIPB                Ted Ts'o <tytso@athena.mit.edu>
Apollo/Athena/SIPB         William Sommerfeld <wesommer@athena.mit.edu>
DEC/Athena/SIPB            John Kohl <jtkohl@athena.mit.edu>
Athena/SIPB                Ken Raeburn <raeburn@athena.mit.edu>
NetworkGroup/SIPB          Jon Rochlis <jon@bitsy.mit.edu>
Media Lab                  Hal Birkeland <hkbirke@athena.mit.edu>
Network Group              Ron Hoffmann <hoffmann@bitsy.mit.edu>
Athena/SIPB                Richard Basch <probe@athena.mit.edu>
LCS                        Tim Sheppard <shep@ptt.lcs.mit.edu>